*** src/kadmin/server/kadm_rpc_svc.c (revision 19480) --- src/kadmin/server/kadm_rpc_svc.c (local) *************** *** 250,255 **** --- 250,257 ---- krb5_data *c1, *c2, *realm; gss_buffer_desc gss_str; kadm5_server_handle_t handle; + size_t slen; + char *sdots; success = 0; handle = (kadm5_server_handle_t)global_server_handle; *************** *** 274,279 **** --- 276,283 ---- if (ret == 0) goto fail_name; + slen = gss_str.length; + trunc_name(&slen, &sdots); /* * Since we accept with GSS_C_NO_NAME, the client can authenticate * against the entire kdb. Therefore, ensure that the service *************** *** 296,303 **** fail_princ: if (!success) { ! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s", ! gss_str.length, gss_str.value); } gss_release_buffer(&min_stat, &gss_str); krb5_free_principal(kctx, princ); --- 300,307 ---- fail_princ: if (!success) { ! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s", ! slen, gss_str.value, sdots); } gss_release_buffer(&min_stat, &gss_str); krb5_free_principal(kctx, princ); *** src/kadmin/server/misc.c (revision 19480) --- src/kadmin/server/misc.c (local) *************** *** 171,173 **** --- 171,182 ---- return kadm5_free_principal_ent(handle->lhandle, &princ); } + + #define MAXPRINCLEN 125 + + void + trunc_name(size_t *len, char **dots) + { + *dots = *len > MAXPRINCLEN ? "..." : ""; + *len = *len > MAXPRINCLEN ? 
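Review bot: The `%.*s` precision argument of the new `krb5_klog_syslog` call must be an `int`, but `slen` is a `size_t`, so the variadic call passes the wrong type and on LP64 targets the length and the following string pointer are read from the wrong slots. Because `trunc_name` clamps the value to `MAXPRINCLEN` a cast is exact: `"bad service principal %.*s%s", (int) slen, (char *) gss_str.value, sdots);` (the `(char *)` also covers `gss_str.value` being `void *`). The same uncast `size_t` lengths appear in the ovsec_kadmd.c and schpw.c hunks and in the server_stubs.c `log_unauth`, `log_done` and `init_2_svc` hunks, so they want the same treatment. `slen`/`sdots` are only assigned after the `goto fail_name` test; if any path between that point and `fail_princ` (outside the hunk) can jump to `fail_princ`, the log reads them uninitialized, which `size_t slen = 0; char *sdots = "";` at the declaration would avoid. The enclosing function starts before and ends after these hunks.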
MAXPRINCLEN : *len; + } *** src/kadmin/server/misc.h (revision 19480) --- src/kadmin/server/misc.h (local) *************** *** 45,47 **** --- 45,49 ---- #ifdef SVC_GETARGS void kadm_1(struct svc_req *, SVCXPRT *); #endif + + void trunc_name(size_t *len, char **dots); *** src/kadmin/server/ovsec_kadmd.c (revision 19480) --- src/kadmin/server/ovsec_kadmd.c (local) *************** *** 992,997 **** --- 992,999 ---- rpcproc_t proc; int i; const char *procname; + size_t clen, slen; + char *cdots, *sdots; client.length = 0; client.value = NULL; *************** *** 1000,1009 **** (void) gss_display_name(&minor, client_name, &client, &gss_type); (void) gss_display_name(&minor, server_name, &server, &gss_type); ! if (client.value == NULL) client.value = "(null)"; ! if (server.value == NULL) server.value = "(null)"; a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); proc = msg->rm_call.cb_proc; --- 1002,1021 ---- (void) gss_display_name(&minor, client_name, &client, &gss_type); (void) gss_display_name(&minor, server_name, &server, &gss_type); ! if (client.value == NULL) { client.value = "(null)"; ! clen = sizeof("(null)") -1; ! } else { ! clen = client.length; ! } ! trunc_name(&clen, &cdots); ! if (server.value == NULL) { server.value = "(null)"; + slen = sizeof("(null)") - 1; + } else { + slen = server.length; + } + trunc_name(&slen, &sdots); a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); proc = msg->rm_call.cb_proc; *************** *** 1016,1029 **** } if (procname != NULL) krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " ! "claimed client = %s, server = %s, addr = %s", ! procname, client.value, ! server.value, a); else krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " ! "claimed client = %s, server = %s, addr = %s", ! proc, client.value, ! server.value, a); (void) gss_release_buffer(&minor, &client); (void) gss_release_buffer(&minor, &server); --- 1028,1041 ---- } if (procname != NULL) krb5_klog_syslog(LOG_NOTICE, "WARNING! 
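Review bot: `trunc_name` is exported through misc.h but carries no comment, and its contract is exactly what every caller relies on: after the call `*len` never exceeds `MAXPRINCLEN`, which is what makes a later `(int)` conversion for `%.*s` exact. A header comment such as `/* Clamp *len to MAXPRINCLEN for log output; *dots becomes "..." when the name was cut, "" otherwise. Callers may safely convert *len to int afterwards. */` would record that. The limit is a bare magic number that the do_tgs_req.c hunk repeats as a literal `125` with a hand-rolled copy of the same clamp; if the kdc cannot share misc.h, the literal should at least get a name there as well. `*dots` only ever points at string literals, so the parameter should be `const char **` (and the misc.h prototype likewise) rather than handing callers a writable pointer to read-only data.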
Forged/garbled request: %s, " ! "claimed client = %.*s%s, server = %.*s%s, addr = %s", ! procname, clen, client.value, cdots, ! slen, server.value, sdots, a); else krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " ! "claimed client = %.*s%s, server = %.*s%s, addr = %s", ! proc, clen, client.value, cdots, ! slen, server.value, sdots, a); (void) gss_release_buffer(&minor, &client); (void) gss_release_buffer(&minor, &server); *** src/kadmin/server/schpw.c (revision 19480) --- src/kadmin/server/schpw.c (local) *************** *** 40,45 **** --- 40,47 ---- int numresult; char strresult[1024]; char *clientstr; + size_t clen; + char *cdots; ret = 0; rep->length = 0; *************** *** 258,266 **** free(ptr); clear.length = 0; ! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s", inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), ! clientstr, ret ? krb5_get_error_message (context, ret) : "success"); krb5_free_unparsed_name(context, clientstr); if (ret) { --- 260,271 ---- free(ptr); clear.length = 0; ! clen = strlen(clientstr); ! trunc_name(&clen, &cdots); ! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), ! clen, clientstr, cdots, ! ret ? 
krb5_get_error_message (context, ret) : "success"); krb5_free_unparsed_name(context, clientstr); if (ret) { *** src/kadmin/server/server_stubs.c (revision 19480) --- src/kadmin/server/server_stubs.c (local) *************** *** 14,19 **** --- 14,20 ---- #include /* inet_ntoa */ #include /* krb5_klog_syslog */ #include "misc.h" + #include #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s" #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" *************** *** 237,242 **** --- 238,298 ---- return 0; } + static int + log_unauth( + char *op, + char *target, + gss_buffer_t client, + gss_buffer_t server, + struct svc_req *rqstp) + { + size_t tlen, clen, slen; + char *tdots, *cdots, *sdots; + + tlen = strlen(target); + trunc_name(&tlen, &tdots); + clen = client->length; + trunc_name(&clen, &cdots); + slen = server->length; + trunc_name(&slen, &sdots); + + return krb5_klog_syslog(LOG_NOTICE, + "Unauthorized request: %s, %.*s%s, " + "client=%.*s%s, service=%.*s%s, addr=%s", + op, tlen, target, tdots, + clen, client->value, cdots, + slen, server->value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + + static int + log_done( + char *op, + char *target, + char *errmsg, + gss_buffer_t client, + gss_buffer_t server, + struct svc_req *rqstp) + { + size_t tlen, clen, slen; + char *tdots, *cdots, *sdots; + + tlen = strlen(target); + trunc_name(&tlen, &tdots); + clen = client->length; + trunc_name(&clen, &cdots); + slen = server->length; + trunc_name(&slen, &sdots); + + return krb5_klog_syslog(LOG_NOTICE, + "Request: %s, %.*s%s, %s, " + "client=%.*s%s, service=%.*s%s, addr=%s", + op, tlen, target, tdots, errmsg, + clen, client->value, cdots, + slen, server->value, sdots, + inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + generic_ret * create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) { *************** *** 275,283 **** || kadm5int_acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { 
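Review bot: The rewritten `krb5_klog_syslog` argument list still passes `krb5_get_error_message(context, ret)` inline, so the string it returns is never released; the do_tgs_req.c hunk in this same patch shows the expected pairing with `krb5_free_error_message`, and a long-running kadmind leaks one message per failed change-password request here. Capture it first, `const char *emsg = ret ? krb5_get_error_message(context, ret) : "success";`, log `emsg` in place of the inline call, and after the log add `if (ret) krb5_free_error_message(context, emsg);`. The enclosing function starts and ends outside the hunk.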
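Review bot: `log_unauth` calls `strlen(target)` unconditionally, yet the policy stubs pass `prime_arg` to it unguarded while passing `((prime_arg == NULL) ? "(null)" : prime_arg)` to `log_done` (the create/delete/modify/get_policy hunks further down), so a NULL policy name that the old `%s` format tolerated on glibc now dereferences NULL in the unauthorized branch. Move the substitution into the helpers so every caller is covered: `if (target == NULL) target = "(null)";` before the `strlen` in both `log_unauth` and `log_done`, after which the callers' ternaries become redundant. `client->value` and `server->value` are `void *` and need a `(char *)` cast for `%s`; `op`, `target` and `errmsg` are only read, so `const char *` would document that and let string literals pass cleanly. Both helpers are complete within the hunk.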
ret.code = KADM5_AUTH_ADD; ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_create_principal((void *)handle, &arg->rec, arg->mask, --- 331,338 ---- || kadm5int_acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { ret.code = KADM5_AUTH_ADD; ! log_unauth("kadm5_create_principal", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_create_principal((void *)handle, &arg->rec, arg->mask, *************** *** 287,296 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ } --- 342,349 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_create_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ } *************** *** 341,349 **** || kadm5int_acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { ret.code = KADM5_AUTH_ADD; ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_create_principal_3((void *)handle, &arg->rec, arg->mask, --- 394,401 ---- || kadm5int_acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { ret.code = KADM5_AUTH_ADD; ! log_unauth("kadm5_create_principal", prime_arg, ! 
&client_name, &service_name, rqstp); } else { ret.code = kadm5_create_principal_3((void *)handle, &arg->rec, arg->mask, *************** *** 355,364 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ } --- 407,414 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_create_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ } *************** *** 406,414 **** || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, arg->princ, NULL)) { ret.code = KADM5_AUTH_DELETE; ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_delete_principal((void *)handle, arg->princ); if( ret.code == 0 ) --- 456,463 ---- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, arg->princ, NULL)) { ret.code = KADM5_AUTH_DELETE; ! log_unauth("kadm5_delete_principal", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_delete_principal((void *)handle, arg->princ); if( ret.code == 0 ) *************** *** 416,425 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ } --- 465,472 ---- else errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); ! log_done("kadm5_delete_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ } *************** *** 469,477 **** || kadm5int_acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { ret.code = KADM5_AUTH_MODIFY; ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_modify_principal((void *)handle, &arg->rec, arg->mask); --- 516,523 ---- || kadm5int_acl_impose_restrictions(handle->context, &arg->rec, &arg->mask, rp)) { ret.code = KADM5_AUTH_MODIFY; ! log_unauth("kadm5_modify_principal", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_modify_principal((void *)handle, &arg->rec, arg->mask); *************** *** 480,489 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ } --- 526,533 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_modify_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ } *************** *** 546,554 **** } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal", ! prime_arg, client_name.value, service_name.value, ! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); --- 590,597 ---- } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! log_unauth("kadm5_rename_principal", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); *************** *** 557,566 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); free(prime_arg1); --- 600,607 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_rename_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); free(prime_arg1); *************** *** 614,622 **** arg->princ, NULL))) { ret.code = KADM5_AUTH_GET; ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { if (handle->api_version == KADM5_API_VERSION_1) { ret.code = kadm5_get_principal_v1((void *)handle, --- 655,662 ---- arg->princ, NULL))) { ret.code = KADM5_AUTH_GET; ! log_unauth(funcname, prime_arg, ! &client_name, &service_name, rqstp); } else { if (handle->api_version == KADM5_API_VERSION_1) { ret.code = kadm5_get_principal_v1((void *)handle, *************** *** 636,646 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, ! prime_arg, ! errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); --- 676,683 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! 
log_done(funcname, prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); *************** *** 688,696 **** NULL, NULL)) { ret.code = KADM5_AUTH_LIST; ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_get_principals((void *)handle, arg->exp, &ret.princs, --- 725,732 ---- NULL, NULL)) { ret.code = KADM5_AUTH_LIST; ! log_unauth("kadm5_get_principals", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_get_principals((void *)handle, arg->exp, &ret.princs, *************** *** 700,710 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals", ! prime_arg, ! errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); --- 736,743 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_get_principals", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); *************** *** 755,763 **** ret.code = kadm5_chpass_principal((void *)handle, arg->princ, arg->pass); } else { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_CHANGEPW; } --- 788,795 ---- ret.code = kadm5_chpass_principal((void *)handle, arg->princ, arg->pass); } else { ! log_unauth("kadm5_chpass_principal", prime_arg, ! &client_name, &service_name, rqstp); ret.code = KADM5_AUTH_CHANGEPW; } *************** *** 767,776 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); --- 799,806 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_chpass_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); *************** *** 828,836 **** arg->ks_tuple, arg->pass); } else { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_CHANGEPW; } --- 858,865 ---- arg->ks_tuple, arg->pass); } else { ! log_unauth("kadm5_chpass_principal", prime_arg, ! &client_name, &service_name, rqstp); ret.code = KADM5_AUTH_CHANGEPW; } *************** *** 840,849 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); --- 869,876 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_chpass_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); *************** *** 892,900 **** ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, arg->keyblock); } else { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_SETKEY; } --- 919,926 ---- ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, arg->keyblock); } else { ! log_unauth("kadm5_setv4key_principal", prime_arg, ! &client_name, &service_name, rqstp); ret.code = KADM5_AUTH_SETKEY; } *************** *** 904,913 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! 
krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); --- 930,937 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_setv4key_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); *************** *** 956,964 **** ret.code = kadm5_setkey_principal((void *)handle, arg->princ, arg->keyblocks, arg->n_keys); } else { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_SETKEY; } --- 980,987 ---- ret.code = kadm5_setkey_principal((void *)handle, arg->princ, arg->keyblocks, arg->n_keys); } else { ! log_unauth("kadm5_setkey_principal", prime_arg, ! &client_name, &service_name, rqstp); ret.code = KADM5_AUTH_SETKEY; } *************** *** 968,977 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); --- 991,998 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_setkey_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); *************** *** 1023,1031 **** arg->ks_tuple, arg->keyblocks, arg->n_keys); } else { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_SETKEY; } --- 1044,1051 ---- arg->ks_tuple, arg->keyblocks, arg->n_keys); } else { ! log_unauth("kadm5_setkey_principal", prime_arg, ! 
&client_name, &service_name, rqstp); ret.code = KADM5_AUTH_SETKEY; } *************** *** 1035,1044 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); --- 1055,1062 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_setkey_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); *************** *** 1097,1105 **** ret.code = kadm5_randkey_principal((void *)handle, arg->princ, &k, &nkeys); } else { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_CHANGEPW; } --- 1115,1122 ---- ret.code = kadm5_randkey_principal((void *)handle, arg->princ, &k, &nkeys); } else { ! log_unauth(funcname, prime_arg, ! &client_name, &service_name, rqstp); ret.code = KADM5_AUTH_CHANGEPW; } *************** *** 1119,1128 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); free(prime_arg); --- 1136,1143 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done(funcname, prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); free(prime_arg); *************** *** 1185,1193 **** arg->ks_tuple, &k, &nkeys); } else { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, ! prime_arg, client_name.value, service_name.value, ! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_CHANGEPW; } --- 1200,1207 ---- arg->ks_tuple, &k, &nkeys); } else { ! log_unauth(funcname, prime_arg, ! &client_name, &service_name, rqstp); ret.code = KADM5_AUTH_CHANGEPW; } *************** *** 1207,1216 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, ! prime_arg, errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); free(prime_arg); --- 1221,1228 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done(funcname, prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); free(prime_arg); *************** *** 1253,1262 **** rqst2name(rqstp), ACL_ADD, NULL, NULL)) { ret.code = KADM5_AUTH_ADD; ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ! } else { ret.code = kadm5_create_policy((void *)handle, &arg->rec, arg->mask); --- 1265,1273 ---- rqst2name(rqstp), ACL_ADD, NULL, NULL)) { ret.code = KADM5_AUTH_ADD; ! log_unauth("kadm5_create_policy", prime_arg, ! &client_name, &service_name, rqstp); ! } else { ret.code = kadm5_create_policy((void *)handle, &arg->rec, arg->mask); *************** *** 1265,1275 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy", ! ((prime_arg == NULL) ? "(null)" : prime_arg), ! errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); --- 1276,1284 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_create_policy", ! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ! 
&client_name, &service_name, rqstp); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); *************** *** 1310,1318 **** if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, NULL, NULL)) { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_DELETE; } else { ret.code = kadm5_delete_policy((void *)handle, arg->name); --- 1319,1326 ---- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, NULL, NULL)) { ! log_unauth("kadm5_delete_policy", prime_arg, ! &client_name, &service_name, rqstp); ret.code = KADM5_AUTH_DELETE; } else { ret.code = kadm5_delete_policy((void *)handle, arg->name); *************** *** 1321,1331 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy", ! ((prime_arg == NULL) ? "(null)" : prime_arg), ! errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); --- 1329,1337 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_delete_policy", ! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); *************** *** 1366,1374 **** if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, NULL, NULL)) { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy", ! prime_arg, client_name.value, service_name.value, ! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ret.code = KADM5_AUTH_MODIFY; } else { ret.code = kadm5_modify_policy((void *)handle, &arg->rec, --- 1372,1379 ---- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, NULL, NULL)) { ! log_unauth("kadm5_modify_policy", prime_arg, ! &client_name, &service_name, rqstp); ret.code = KADM5_AUTH_MODIFY; } else { ret.code = kadm5_modify_policy((void *)handle, &arg->rec, *************** *** 1378,1388 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy", ! ((prime_arg == NULL) ? "(null)" : prime_arg), ! errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); --- 1383,1391 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_modify_policy", ! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); *************** *** 1464,1478 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, ! ((prime_arg == NULL) ? "(null)" : prime_arg), ! errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); --- 1467,1478 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done(funcname, ! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ! &client_name, &service_name, rqstp); } else { ! log_unauth(funcname, prime_arg, ! 
&client_name, &service_name, rqstp); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); *************** *** 1517,1525 **** rqst2name(rqstp), ACL_LIST, NULL, NULL)) { ret.code = KADM5_AUTH_LIST; ! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies", ! prime_arg, client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_get_policies((void *)handle, arg->exp, &ret.pols, --- 1517,1524 ---- rqst2name(rqstp), ACL_LIST, NULL, NULL)) { ret.code = KADM5_AUTH_LIST; ! log_unauth("kadm5_get_policies", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_get_policies((void *)handle, arg->exp, &ret.pols, *************** *** 1529,1539 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies", ! prime_arg, ! errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); --- 1528,1535 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_get_policies", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); *************** *** 1573,1583 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs", ! client_name.value, ! errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); --- 1569,1576 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_get_privs", client_name.value, errmsg, ! 
&client_name, &service_name, rqstp); free_server_handle(handle); gss_release_buffer(&minor_stat, &client_name); *************** *** 1594,1599 **** --- 1587,1594 ---- kadm5_server_handle_t handle; OM_uint32 minor_stat; char *errmsg = 0; + size_t clen, slen; + char *cdots, *sdots; xdr_free(xdr_generic_ret, &ret); *************** *** 1612,1625 **** if (ret.code != 0) errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d", ! (ret.api_version == KADM5_API_VERSION_1 ? ! "kadm5_init (V1)" : "kadm5_init"), ! client_name.value, ! (ret.code == 0) ? "success" : errmsg, ! client_name.value, service_name.value, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), ! rqstp->rq_cred.oa_flavor); gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); --- 1607,1628 ---- if (ret.code != 0) errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! else ! errmsg = "success"; ! ! clen = client_name.length; ! trunc_name(&clen, &cdots); ! slen = service_name.length; ! trunc_name(&slen, &sdots); ! krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, " ! "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d", ! (ret.api_version == KADM5_API_VERSION_1 ? ! "kadm5_init (V1)" : "kadm5_init"), ! clen, client_name.value, cdots, errmsg, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), ! 
rqstp->rq_cred.oa_flavor); gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); *** src/kdc/do_tgs_req.c (revision 19480) --- src/kdc/do_tgs_req.c (local) *************** *** 489,516 **** newtransited = 1; } if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { errcode = krb5_check_transited_list (kdc_context, &enc_tkt_reply.transited.tr_contents, krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), krb5_princ_realm (kdc_context, request->server)); if (errcode == 0) { setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) krb5_klog_syslog (LOG_INFO, ! "bad realm transit path from '%s' to '%s' via '%.*s'", cname ? cname : "", sname ? sname : "", ! enc_tkt_reply.transited.tr_contents.length, ! enc_tkt_reply.transited.tr_contents.data); else { const char *emsg = krb5_get_error_message(kdc_context, errcode); krb5_klog_syslog (LOG_ERR, ! "unexpected error checking transit from '%s' to '%s' via '%.*s': %s", cname ? cname : "", sname ? sname : "", ! enc_tkt_reply.transited.tr_contents.length, enc_tkt_reply.transited.tr_contents.data, ! emsg); krb5_free_error_message(kdc_context, emsg); } } else --- 489,526 ---- newtransited = 1; } if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { + unsigned int tlen; + char *tdots; + errcode = krb5_check_transited_list (kdc_context, &enc_tkt_reply.transited.tr_contents, krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), krb5_princ_realm (kdc_context, request->server)); + tlen = enc_tkt_reply.transited.tr_contents.length; + tdots = tlen > 125 ? "..." : ""; + tlen = tlen > 125 ? 125 : tlen; + if (errcode == 0) { setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) krb5_klog_syslog (LOG_INFO, ! "bad realm transit path from '%s' to '%s' " ! "via '%.*s%s'", cname ? cname : "", sname ? sname : "", ! tlen, ! 
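Review bot: `errmsg = "success"` stores a string literal in the same pointer that on the error path holds the buffer from `krb5_get_error_message`; `errmsg` starts as `0` in the declarations hunk, which suggests the cleanup after this hunk (the rest of `init_2_svc` is outside it) releases it with `krb5_free_error_message` whenever it is non-NULL, and that would now free a literal on every successful init. Keep the literal out of `errmsg` as the original did, `(ret.code == 0) ? "success" : errmsg` in the argument list, or guard the release with `ret.code != 0`. `client_name.value` and `service_name.value` are `void *` and should be cast to `(char *)` where they feed `%.*s`.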
enc_tkt_reply.transited.tr_contents.data, ! tdots); else { const char *emsg = krb5_get_error_message(kdc_context, errcode); krb5_klog_syslog (LOG_ERR, ! "unexpected error checking transit from " ! "'%s' to '%s' via '%.*s%s': %s", cname ? cname : "", sname ? sname : "", ! tlen, enc_tkt_reply.transited.tr_contents.data, ! tdots, emsg); krb5_free_error_message(kdc_context, emsg); } } else *************** *** 542,547 **** --- 552,560 ---- if (!krb5_principal_compare(kdc_context, request->server, client2)) { if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp))) tmp = 0; + if (tmp != NULL) + limit_string(tmp); + krb5_klog_syslog(LOG_INFO, "TGS_REQ %s: 2ND_TKT_MISMATCH: " "authtime %d, %s for %s, 2nd tkt client %s", *************** *** 816,821 **** --- 829,835 ---- krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing alternate TGT"); } else { + limit_string(sname); krb5_klog_syslog(LOG_INFO, "TGS_REQ: issuing TGT %s", sname); free(sname); *** src/kdc/kdc_util.c (revision 19480) --- src/kdc/kdc_util.c (local) *************** *** 404,409 **** --- 404,410 ---- krb5_db_free_principal(kdc_context, &server, nprincs); if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { + limit_string(sname); krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", sname); free(sname); *** src/lib/kadm5/logger.c (revision 19480) --- src/lib/kadm5/logger.c (local) *************** *** 45,51 **** #include #endif /* HAVE_STDARG_H */ ! #define KRB5_KLOG_MAX_ERRMSG_SIZE 1024 #ifndef MAXHOSTNAMELEN #define MAXHOSTNAMELEN 256 #endif /* MAXHOSTNAMELEN */ --- 45,51 ---- #include #endif /* HAVE_STDARG_H */ ! #define KRB5_KLOG_MAX_ERRMSG_SIZE 2048 #ifndef MAXHOSTNAMELEN #define MAXHOSTNAMELEN 256 #endif /* MAXHOSTNAMELEN */ *************** *** 261,267 **** #endif /* HAVE_SYSLOG */ /* Now format the actual message */ ! 
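Review bot: The three new lines after `krb5_check_transited_list` hand-roll the clamp that misc.c's `trunc_name` provides on the kadmin side, with the limit written as a bare `125` three times; a named constant, e.g. `enum { TRANSIT_LOG_MAX = 125 };` next to the other kdc logging limits, would tie the uses together and match `MAXPRINCLEN`. The clamp also runs on the `errcode == 0` path where nothing is logged, so it could sit under the two logging branches instead. `tlen` is declared `unsigned int` but is passed where `%.*s` expects `int`; that is permitted only because the clamped value is representable in both types, so declaring `tlen` as `int` or adding `/* tlen <= 125, so the int conversion for %.*s is exact */` makes the intent explicit. The enclosing function continues outside the hunk.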
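Review bot: `limit_string(sname)` is called without a NULL check, while the 2ND_TKT_MISMATCH hunk above guards its call with `if (tmp != NULL)`; either `limit_string` tolerates NULL and that guard is redundant, or it does not and this site needs one whenever `sname` can be NULL (the code that sets `sname` is outside the hunk). `limit_string` is neither declared nor defined anywhere in this patch, so its NULL behaviour should be confirmed in kdc_util before merging. It shortens the buffer in place, which is fine here only because `sname` is logged and freed immediately after; a one-line comment at the call, `/* limit_string shortens sname in place; it is only logged and freed below */`, would stop a later reader from reusing the truncated name.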
#if HAVE_VSPRINTF vsprintf(cp, actual_format, ap); #else /* HAVE_VSPRINTF */ sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1], --- 261,269 ---- #endif /* HAVE_SYSLOG */ /* Now format the actual message */ ! #if HAVE_VSNPRINTF ! vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap); ! #elif HAVE_VSPRINTF vsprintf(cp, actual_format, ap); #else /* HAVE_VSPRINTF */ sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1], *************** *** 850,856 **** syslogp = &outbuf[strlen(outbuf)]; /* Now format the actual message */ ! #ifdef HAVE_VSPRINTF vsprintf(syslogp, format, arglist); #else /* HAVE_VSPRINTF */ sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1], --- 852,860 ---- syslogp = &outbuf[strlen(outbuf)]; /* Now format the actual message */ ! #ifdef HAVE_VSNPRINTF ! vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist); ! #elif HAVE_VSPRINTF vsprintf(syslogp, format, arglist); #else /* HAVE_VSPRINTF */ sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
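Review bot: The bounded `vsnprintf` is only taken under `HAVE_VSNPRINTF`; the `#elif HAVE_VSPRINTF` and `#else` branches keep the unbounded `vsprintf`/`sprintf` writes into `outbuf`, so on any build where configure does not detect vsnprintf the overflow this patch closes remains (the hunk at 850 has the same shape). Since vsnprintf is C99, replacing the fallback with `#error vsnprintf is required` or dropping it altogether is the safer form. The two hunks also test the macro differently, `#if HAVE_VSNPRINTF` here and `#ifdef HAVE_VSNPRINTF` at 850; `#ifdef` accepts an empty definition and `#if` does not, so one spelling should be used in both. Truncation is silent, a message longer than `sizeof(outbuf) - (cp - outbuf)` is cut with no marker, which for an audit log deserves either a comment such as `/* vsnprintf may truncate; the line stays NUL-terminated */` or a check of the return value against the remaining space. The enclosing function begins outside the hunk, and the expression assumes `cp` already points inside `outbuf`, which the preceding prefix formatting (not visible here) must guarantee.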